HardHat
just joined
Topic Author
Posts: 1
Joined: Tue May 01, 2012 1:10 pm

Disgruntled Employee

Tue May 01, 2012 1:14 pm

Hi,

I have recently gotten rid of an employee, and it wasn't on good terms. I am enquiring if there is a way to check that the routerboards this employee was in charge of haven't been set up as rogue. In other words, what can I look for to see there isn't anything rogue going on on the router, either rogue DNS or VPN, something that is set up to monitor traffic and log passwords and private information? Since these routers are based at customers' premises, it would be a big job if I have to reload them...
 
theWISP
Member Candidate
Posts: 114
Joined: Fri Sep 12, 2008 4:13 am
Contact:

Re: Disgruntled Employee

Tue May 01, 2012 5:29 pm

Been there!

So first is for you to truly evaluate if he would do something, secondly for what reason (to gain what). Essentially paranoia can cause a lot of wasted time. Next, did you have him sign anything either during employment or termination that stated that information gained by employment is not to be used for any other reason, and the understood consequences?

Now to the root of your question. You're looking for a needle in a haystack, so you need to narrow it down: which customers of yours would he most likely target? Which core devices on your infrastructure might he want to compromise? Change the passwords on all of your infrastructure at the least. Then I would take a look at those most likely devices, and run torch for a while to see if you can see anything out of the ordinary. You can also do the same on one of your core devices, preferably during non-peak hours to help limit the traffic you are seeing. You can filter out DNS, HTTP, HTTPS, POP3, SMTP, IMAP, etc. from your torches; this will help.

There are so many different ways to configure a routerboard to do the same things that unfortunately there's not much that you can just go look for specifically. Obviously you will look at the firewall to see if there are some redirects, port forwards, interface mirroring, etc.

If you are really adamant and worried about your CPEs, it wouldn't take too terribly long to log into each CPE and export a config file. Then, using the milliscript program found on this forum, compare a known good CPE's config to each config on your network. This will quickly point out config differences.

I hope this helps and good luck!
 
Devil
Member Candidate
Posts: 170
Joined: Thu Jul 21, 2011 9:13 am

Re: Disgruntled Employee

Wed May 02, 2012 4:49 pm

I would start by looking at the scripts and scheduler. Make sure everything there makes sense, and all the scripts are things that you need. The next step is checking the users section: change the passwords, remove SSH keys. Then make sure no VPN connection has been made or could be made. Check interfaces, PPP, IPsec, ... Go to /ip services, disable services you don't need. Check your routing table, your NAT rules, especially dstnat ones. And the most important part, check your filter rules: forward, input and output chains. Only allow connections that you need and drop the rest, even in the output chain.

Basically, you need to check everything. You could also use /export compact, to see all the settings in one place. That's going to take some time, but it could be done.

good luck
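Both replies come down to the same task: pull a /export compact from each CPE and compare it to a known-good one, paying special attention to the scripts, scheduler, users, services and dstnat rules Devil lists. The script below is an added example (not code from the thread or from MikroTik) that does that comparison section by section; the WATCH list and both sample dumps are constructed assumptions.

```python
# Added example (not from the thread): diff two RouterOS "/export compact" dumps
# section by section; WATCH and both sample dumps are constructed assumptions.
import re
WATCH = ("/system script", "/system scheduler", "/user", "/ip service",
         "/ip firewall", "/ip dns", "/interface", "/ppp", "/ip ipsec")

def parse_export(text):
    """Map each '/path' header to its command lines (backslash-wrapped lines joined)."""
    sections, current = {}, None
    for raw in re.sub(r"\s*\\\n\s*", " ", text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comment lines
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, set())
        elif current is not None:
            sections[current].add(line)
    return sections

def diff_exports(known_good, suspect):
    """Return {section: (added, removed)} for every section that differs."""
    good, bad = parse_export(known_good), parse_export(suspect)
    result = {}
    for sec in sorted(set(good) | set(bad)):
        added = bad.get(sec, set()) - good.get(sec, set())
        removed = good.get(sec, set()) - bad.get(sec, set())
        if added or removed:
            result[sec] = (sorted(added), sorted(removed))
    return result

def flagged_sections(diff):
    """Differing sections that fall under a watched RouterOS path."""
    return [s for s in diff if any(s == w or s.startswith(w + " ") for w in WATCH)]

GOOD = """# constructed known-good CPE export
/ip firewall nat
/ip service
set telnet disabled=yes
"""
SUSPECT = """# constructed export from a CPE with unexplained changes
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 action=dst-nat \\
    to-addresses=192.0.2.50
/ip service
set telnet disabled=no
/system scheduler
add name=nightly interval=1d on-event=nightly
"""
```

Run diff_exports() against each CPE's export and review flagged_sections() first; anything unexpected in a dstnat rule, a scheduler entry or a re-enabled service is exactly what the thread says to look for.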
